{"api_version":"1","generated_at":"2026-04-23T00:42:08+00:00","cve":"CVE-2023-43622","urls":{"html":"https://cve.report/CVE-2023-43622","api":"https://cve.report/api/cve/CVE-2023-43622.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-43622","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-43622"},"summary":{"title":"CVE-2023-43622","description":"An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known \"slow loris\" attack pattern.\nThis has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout.\n\nThis issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.\n\nUsers are recommended to upgrade to version 2.4.58, which fixes the issue.","state":"PUBLIC","assigner":"security@apache.org","published_at":"2023-10-23 07:15:00","updated_at":"2023-11-01 18:11:00"},"problem_types":["CWE-400"],"metrics":[],"references":[{"url":"https://httpd.apache.org/security/vulnerabilities_24.html","name":"https://httpd.apache.org/security/vulnerabilities_24.html","refsource":"MISC","tags":[],"title":"Apache HTTP Server 2.4 vulnerabilities - The Apache HTTP Server Project","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20231027-0011/","name":"https://security.netapp.com/advisory/ntap-20231027-0011/","refsource":"MISC","tags":[],"title":"October 2023 Apache HTTP Server Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-43622","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-43622","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"43622","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"http_server","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-43622","qid":"150737","title":"Apache HTTP Server Prior to 2.4.58 Multiple Security Vulnerabilities"},{"cve":"CVE-2023-43622","qid":"199940","title":"Ubuntu Security Notification for Apache Hypertext Transfer Protocol (HTTP) Server Vulnerabilities (USN-6506-1)"},{"cve":"CVE-2023-43622","qid":"296106","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 64.157.2 Missing (CPUOCT2023)"},{"cve":"CVE-2023-43622","qid":"356549","title":"Amazon Linux Security Advisory for httpd24 : ALAS-2023-1877"},{"cve":"CVE-2023-43622","qid":"356605","title":"Amazon Linux Security Advisory for httpd : ALAS2-2023-2322"},{"cve":"CVE-2023-43622","qid":"356896","title":"Amazon Linux Security Advisory for httpd : ALAS2023-2023-433"},{"cve":"CVE-2023-43622","qid":"503432","title":"Alpine Linux Security Update for apache2"},{"cve":"CVE-2023-43622","qid":"505847","title":"Alpine Linux Security Update for apache2"},{"cve":"CVE-2023-43622","qid":"691333","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for apache httpd (f923205f-6e66-11ee-85eb-84a93843eb75)"},{"cve":"CVE-2023-43622","qid":"907601","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for httpd (31610-1)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-43622","ASSIGNER":"security@apache.org","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known \"slow loris\" attack pattern.\nThis has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout.\n\nThis issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.\n\nUsers are recommended to upgrade to version 2.4.58, which fixes the issue.\n\n"}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-400 Uncontrolled Resource Consumption","cweId":"CWE-400"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Apache Software Foundation","product":{"product_data":[{"product_name":"Apache HTTP Server","version":{"version_data":[{"version_affected":"<=","version_name":"2.4.55","version_value":"2.4.57"}]}}]}}]}},"references":{"reference_data":[{"url":"https://httpd.apache.org/security/vulnerabilities_24.html","refsource":"MISC","name":"https://httpd.apache.org/security/vulnerabilities_24.html"},{"url":"https://security.netapp.com/advisory/ntap-20231027-0011/","refsource":"MISC","name":"https://security.netapp.com/advisory/ntap-20231027-0011/"}]},"generator":{"engine":"Vulnogram 0.1.0-dev"},"source":{"discovery":"EXTERNAL"},"credits":[{"lang":"en","value":"Prof. Sven Dietrich (City University of New York)"},{"lang":"en","value":"Isa Jafarov (City University of New York)"},{"lang":"en","value":"Prof. Heejo Lee (Korea University)"},{"lang":"en","value":"Choongin Lee (Korea University)"}]},"nvd":{"publishedDate":"2023-10-23 07:15:00","lastModifiedDate":"2023-11-01 18:11:00","problem_types":["CWE-400"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*","versionStartIncluding":"2.4.55","versionEndExcluding":"2.4.58","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}